Access Badge Security Tips 101

In today’s world, organizations seem to focus on things like new viruses and missing patches when they think about securing their environment. Physical security seems to have become an afterthought. As a penetration tester who has performed numerous social engineering engagements and seen firsthand the role physical security plays in protecting organizations and their sensitive data, I wanted to share a few badge security tips on how you can help keep your organization safe from a physical attack.

What’s the Risk?

Most of us carry around a white plastic card the size of a standard credit card, which we commonly refer to as our badge that has been provided by our employer. Typically, we scan this badge on a wall-mounted reader to gain entry into our office or other sensitive areas of the building. As long as we do not lose the badge, what’s the risk?

Well, these badges use radio frequency identification (RFID) technology to interact with the reader. The reader puts out an energy field, waiting for a badge to come within range. When a badge enters the energy field, the data from the badge is interpreted by the reader to validate that the badge holder has access to open that door.

The risk with these badges is that an attacker can impersonate a reader in order to obtain the data from the badge. The attacker can then copy that data onto a blank badge and use it to open the same doors to which the legitimate badge holder would normally have access.

How Do I Protect My Badge?

One easy step you can take to protect your badge is to keep it out of sight of others when you are out of the office. Attackers have been known to visit restaurants and bars around their targeted organizations in search of an employee displaying a badge. The attacker can then use a scanning device, such as a Proxmark,1 to copy the data off of the badge without even coming into contact with it. Depending on the device the attacker uses, the attacker can read a badge up to several feet away without the badge holder’s knowledge.

Of course, even when you conceal your badge, an attacker can logically assume that you might have your badge in your wallet or purse. They can then use their scanning device within the proximity of your wallet or purse and hope that they get close enough to obtain the data from the badge. It’s not unusual for people to bump into each other in a crowded area, and attackers often employ this technique to get close to their targets.

A technique for protecting your badge that goes beyond just keeping your badge out of sight is to use an RFID-blocking wallet or sleeve. An RFID-blocking wallet or sleeve is typically lined with copper to block the RF signals. The wallets and sleeves are relatively inexpensive and can be purchased at a variety of stores and online.

Lastly, consider leaving your work badge at home if you do not require it when going out. While this might seem like the easiest and most obvious way to protect your badge, this could also be problematic if you end up accidentally leaving it at home the next day. You’ll want to decide for yourself if this option is workable for you.

Why Is Access Badge Security Important?

Whether it’s through network security or physical security, the first step an attacker takes in compromising an organization involves gaining entry into that organization. Even if your badge does not provide access to sensitive areas in your office, it most likely provides you access through the main entrance at a minimum. Gaining general access is all an attacker needs to convince people that they belong in the building. From there, the attacker can try to exploit any number of attack vectors to gain access to sensitive areas or data. Taking a few simple steps to safeguard your badge can go a long way in protecting your organization from someone that does not belong there.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

Latest Insights

About The Author

Michael Vieau, CISSP, CEH

Michael Vieau is a Managing Consultant with the Sikich Cybersecurity practice. Michael takes great pride in furthering his education to maximize his value to clients. His academic background augments his already extensive experience in information technology, health care, and manufacturing industries. His familiarity with these fields makes him an excellent resource for organizations looking to tackle compliance mandates from NIST to CIS and beyond.